The real power of the security plugins like Shield is automation. Manually suspending an account is useful when it needs to be done at a certain point of time, but this doesn’t scale. So you need the ability to suspend users once certain conditions are met – for example expired passwords, or inactivity.
Shield's user Suspension feature allows administrators to manually and automatically suspend any user account.
While providing the ability to manually suspend users is a great step forward, it’s not a complete solution. True power comes from having the ability to automatically suspend user accounts based on certain criteria.
More specifically, the criteria we’re providing with Shield are:
- expired passwords
- idle account (i.e. no login or password reset for an extended period)
- custom user role – i.e. you select which user roles are subject to auto-suspension
If a user hasn’t logged-in (or reset their password) for, say, 1 year, you might consider that account inactive. Instead of leaving that account open on your site, Shield will automatically suspend it and prompt the user to reset their password (and thereby reactivate their account).
How to automatically suspend WordPress users
To automatically suspend WordPress users, you can go to the Shield => Settings => User Management module => and enable 'Auto-Suspend Expired Passwords' option:
Important: This option requires password expiration policy to be set.
When this is enabled, it'll automatically suspend login by users and require password reset to unsuspend:
Apart from this, as mentioned above, you can auto-suspend idle (inactive) users. To do this, you may specify the number of days since last login to consider a user as idle, and user roles you want to apply auto-suspension to:
Important: Automatic suspension for idle accounts applies only to the roles you specify.
When this is set, it'll automatically suspend login for idle accounts and require password reset to unsuspend:
To learn what to do about inactive WordPress accounts, read the blog article here.